Caldarale, Charles R wrote:
From: Aditi Sinha [mailto:adisinha0...@gmail.com]
Subject: Need help to understand CVE-2007-0450

We have a web server hosted on Tomcat 7.0.22.

The tool was able to access the Tomcat manager application with the
following URL :
http://localhost:8080/scripts/\../manager/html

As per Tomcat security documents the issue is not present in Tomcat 7.

Is there anything wrong in our web application deployment?

As documented here:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10

there are two Java system properties that control behavior of Tomcat with 
regard to such URLs.  Make sure neither is enabled.


Just barging in here with my own question: is the above really to be considered as a Tomcat failure?

The call is made directly to Tomcat from localhost (obviously), which is allowed for the Manager application. The URL, as stated, seems valid to me. It will just result in "/scripts/../manager/" being equivalent to "/manager/", and the resulting URL is correct and allowed.

I fail to see the problem (but I may be missing something).

The special properties mentioned above address an issue where there is a front-end Apache server proxying to Tomcat, and which would have only "/scripts/" proxied to Tomcat. This would allow the call to be proxied (because it matches "/scripts"), and then resolved by Tomcat to a non-proxied (but valid) context.
But I think that the case above is different, as there is apparently no proxy involved.

(And anyway, if this was ever an issue, in my opinion it would have more to do with a proxy module weakness - or a lax configuration - than with Tomcat per se).
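To make the two cases discussed in this thread concrete (a request sent straight to Tomcat, and the same request arriving through a prefix-matching front-end proxy), here is a small added model. It is illustrative code written for this page, not Tomcat's or httpd's implementation and not code from anyone in the thread. The flag names follow the two Tomcat system properties the referenced security page documents; naming them as org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH is my assumption, since the thread itself does not spell them out. The proxy rule (collapse dot segments, then match the "/scripts/" prefix, treating "\" and "%2f" as ordinary characters) is a constructed approximation of the set-up described above.

```python
from urllib.parse import unquote

# Constructed model of the set-up described in the thread: a front-end that
# forwards only /scripts/ to Tomcat, and Tomcat's own handling of backslash
# and %2f in request paths. Illustrative only; not Tomcat's or httpd's code.
PROXIED_PREFIXES = ("/scripts/",)

# The two Tomcat system properties referred to in the thread. Naming them
# here is an assumption; the thread does not spell them out.
ALLOW_BACKSLASH = "org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH"
ALLOW_ENCODED_SLASH = "org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH"


def collapse_dot_segments(path):
    """Resolve '.' and '..' segments. Returns None if the path climbs above root."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def proxy_forwards(raw_path):
    """Front-end rule: collapse dot segments, then match the prefix.
    It deliberately treats '\\' and '%2f' as ordinary characters; that
    mismatch with Tomcat's view of the path is the point of the example."""
    normalized = collapse_dot_segments(raw_path)
    return normalized is not None and normalized.startswith(PROXIED_PREFIXES)


def tomcat_normalize(raw_path, props=()):
    """Tomcat-side model after the 6.0.10 fix: '%2f' and '\\' are rejected
    (HTTP 400) unless the matching property is enabled. Returns the path
    Tomcat would serve, or None for a rejected request."""
    if "%2f" in raw_path.lower() and ALLOW_ENCODED_SLASH not in props:
        return None
    path = unquote(raw_path)
    if "\\" in path:
        if ALLOW_BACKSLASH not in props:
            return None
        path = path.replace("\\", "/")
    return collapse_dot_segments(path)


def request_outcome(raw_path, props=()):
    """End to end through the proxy: is the request forwarded at all, and
    which path does Tomcat end up serving?"""
    if not proxy_forwards(raw_path):
        return ("not proxied", None)
    served = tomcat_normalize(raw_path, props)
    return ("proxied", served if served is not None else "400")


if __name__ == "__main__":
    probe = "/scripts/\\../manager/html"  # the URL from the question
    for props in ((), (ALLOW_BACKSLASH,)):
        print(props or "defaults",
              "| direct to Tomcat:", tomcat_normalize(probe, props),
              "| via proxy:", request_outcome(probe, props))
```

With both properties at their defaults the probe URL is rejected by Tomcat whether it arrives directly or through the proxy, which is why seeing the manager page on a 7.0.22 instance points at one of the properties having been enabled. With ALLOW_BACKSLASH set, the front-end still sees a "/scripts/..." path and forwards it, while Tomcat resolves it to "/manager/html"; the plain "/scripts/../manager/html" form never reaches Tomcat because the front-end collapses it itself.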

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org